Forum Discussion
Monkey_D_Luffy
Aug 14, 2023, Copper Contributor
Finetuning Sentinel alert for user added to Azure Active Directory Privileged Groups
I am here to ask for help with finetuning an alert in Sentinel. The alert is called "User added to Azure Active Directory Privileged Groups", and it's triggered when a user is added to a privileged g...
Jimmy_Lindo
Oct 11, 2023, MCT
Hi,
If you choose to edit the rule analytics, you can update the query under "set rule analytics".
Here you will just add
| where InitiatedByDisplayName != "MS-PIM"
This should be added under the row
| where GroupName in~ (PrivilegedGroups)
| where InitiatedByDisplayName != "MS-PIM"
Regards
Jimmy Lindö
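To show where the exclusion lands in a full query, here is an added example (not the text of Microsoft's built-in rule and not Jimmy's code); the group list, the extraction of GroupName from TargetResources, and the derivation of InitiatedByDisplayName are assumptions modelled on the column names used in the thread.

```kql
// Added example, not the shipped Sentinel rule. Assumed: the rule reads AuditLogs,
// pulls the group name out of TargetResources, and builds InitiatedByDisplayName
// from InitiatedBy.app (service-driven changes) or InitiatedBy.user (interactive).
let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);  // assumed list
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName has "Add member to role"            // assumed operation name
| mv-expand TargetResources
| extend GroupName = tostring(TargetResources.displayName) // hypothetical extraction
| extend InitiatedByApp  = tostring(InitiatedBy.app.displayName),
         InitiatedByUser = tostring(InitiatedBy.user.displayName)
| extend InitiatedByDisplayName = iff(isnotempty(InitiatedByApp), InitiatedByApp, InitiatedByUser)
| where GroupName in~ (PrivilegedGroups)
// The line the reply adds, placed directly under the GroupName filter:
| where InitiatedByDisplayName != "MS-PIM"
// Tighter variant: only drop the event when the *application* branch of InitiatedBy
// is MS-PIM, so a user account whose display name happens to be "MS-PIM" is still alerted on.
| where not(InitiatedByApp == "MS-PIM")
| project TimeGenerated, OperationName, GroupName, InitiatedByDisplayName, InitiatedByUser,
          TargetUPN = tostring(TargetResources.userPrincipalName)
```

Keep only one of the two exclusion lines in a real rule; the second is the stricter form and makes the first redundant.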